[unisog] Re: OpenSSL worm in the wild

Andreas Östling andreaso at it.su.se
Fri Sep 13 17:04:47 EDT 2002


> > I'd like to request IP addresses of hosts that have been compromised or
> > that are currently attacking systems from anyone who is comfortable
> > sharing this information.  We wish to run it through TMS (formerly
> > known as ARIS) to see how quickly it is propagating.
...

While I've not yet seen any worm activity, I thought I'd mention that
yesterday, we detected a successful non-worm break-in on a Linux machine
(Mandrake with Apache 1.3.20) where a flaw was exploited over SSL
(perhaps the same flaw that the worm uses). It was detected by having
Snort watch for certain cleartext strings in 443/tcp traffic (see
snort-sigs list archive). Argus logs also exist, if anyone is interested.

Does anyone have any Apache logs showing a successful break-in of the
worm? On the cracked Linux machine, this could be found in ssl_engine_log:

[12/Sep/2002 15:26:20 28181] [info]  Connection: Client IP: attacker_ip, Protocol: SSLv2, Cipher: RC4-MD5 (128/128 bits)
[12/Sep/2002 15:26:20 28182] [error] SSL handshake failed (server victim_ip:443, client attacker_ip) (OpenSSL library error follows)
[12/Sep/2002 15:26:20 28182] [error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:connection id is different
[12/Sep/2002 15:31:11 06311] [error] SSL handshake timed out (client attacker_ip, server victim_ip:443)
[12/Sep/2002 15:31:11 09981] [error] SSL handshake timed out (client attacker_ip, server victim_ip:443)
...
[12/Sep/2002 15:31:11 24305] [error] SSL handshake timed out (client attacker_ip, server victim_ip:443)
[12/Sep/2002 15:31:12 28162] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[12/Sep/2002 15:31:13 28163] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[12/Sep/2002 15:31:13 28164] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[12/Sep/2002 15:31:12 28145] [error] SSL handshake timed out (client attacker_ip, server victim_ip:443)
[12/Sep/2002 15:31:13 28165] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[12/Sep/2002 15:31:13 28166] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[12/Sep/2002 15:31:13 28167] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[12/Sep/2002 15:31:13 28168] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[12/Sep/2002 15:31:12 28146] [error] SSL handshake timed out (client attacker_ip, server victim_ip:443)
[12/Sep/2002 15:31:13 28178] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[12/Sep/2002 15:31:13 28177] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
...
[12/Sep/2002 15:31:13 28172] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[12/Sep/2002 15:31:13 28181] [info]  Connection to child 30 closed with standard shutdown (server victim_ip:443, client attacker_ip)


And then eth0 entered promiscuous mode (dsniff was installed), attacker_ip
logs in via a backdoor etc.


Regards,
Andreas Östling
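A small detector for the ssl_engine_log pattern described above (a GET_CLIENT_FINISHED "connection id is different" failure from a client, followed by a burst of handshake timeouts from the same client), added here as an example and not the poster's code or Snort signature. The sample is constructed from the excerpt in the post with the same placeholder addresses, plus one benign connection from a constructed address so the filter has something to ignore.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the ssl_engine_log excerpt above; attacker_ip /
# victim_ip are placeholders from the post, 192.0.2.10 is a constructed benign client.
SAMPLE_LOG = """\
[12/Sep/2002 15:26:20 28181] [info]  Connection: Client IP: attacker_ip, Protocol: SSLv2, Cipher: RC4-MD5 (128/128 bits)
[12/Sep/2002 15:26:20 28182] [error] SSL handshake failed (server victim_ip:443, client attacker_ip) (OpenSSL library error follows)
[12/Sep/2002 15:26:20 28182] [error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:connection id is different
[12/Sep/2002 15:31:11 06311] [error] SSL handshake timed out (client attacker_ip, server victim_ip:443)
[12/Sep/2002 15:31:11 09981] [error] SSL handshake timed out (client attacker_ip, server victim_ip:443)
[12/Sep/2002 15:31:12 28162] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[12/Sep/2002 15:40:02 28190] [info]  Connection: Client IP: 192.0.2.10, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
[12/Sep/2002 15:40:02 28190] [info]  Connection to child 31 closed with standard shutdown (server victim_ip:443, client 192.0.2.10)
"""

# "[timestamp pid] [level] message" as written by mod_ssl in Apache 1.3.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+?) (?P<pid>\d+)\] \[(?P<level>\w+)\]\s+(?P<msg>.*)$")
# Matches both "Client IP: x" and "client x" so every form of the line yields the peer.
CLIENT_RE = re.compile(r"(?i)client(?: IP)?:? (?P<ip>[^,)\s]+)")


def summarize(log_text):
    """Per-client counts of the three handshake events the post walks through."""
    stats = defaultdict(lambda: {"failed": 0, "connid_diff": 0, "timeouts": 0})
    last_client_by_pid = {}  # the OpenSSL error line names no client, so join on the child pid
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        c = CLIENT_RE.search(msg)
        if c:
            last_client_by_pid[m.group("pid")] = c.group("ip")
        client = last_client_by_pid.get(m.group("pid"))
        if client is None:
            continue  # e.g. "Spurious SSL handshake interrupt": no peer, cannot attribute
        if msg.startswith("SSL handshake failed"):
            stats[client]["failed"] += 1
        elif "connection id is different" in msg:
            stats[client]["connid_diff"] += 1
        elif msg.startswith("SSL handshake timed out"):
            stats[client]["timeouts"] += 1
    return dict(stats)


def suspicious_clients(log_text, timeout_threshold=2):
    """Clients showing the malformed-handshake error plus repeated timeouts."""
    return sorted(ip for ip, s in summarize(log_text).items()
                  if s["connid_diff"] >= 1 and s["timeouts"] >= timeout_threshold)
```

Run it against a real ssl_engine_log with the threshold raised to suit the site's normal SSLv2 noise; a single "connection id is different" on its own is only a hint, the burst of timeouts right after it is what sets this pattern apart.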


